Why do key vault names have to be "worldwide unique"?

Wesley Kenis 0 Reputation points
2023-02-15T18:51:57.7266667+00:00

Why do key vault names have to be worldwide unique? This makes me assume that whatever name I come up with that makes any sense like "Development", "Acceptance", "Production Security" or whatever has already been claimed by the "early adopters". In short, I have more chance of telling developers they should update the vault "mkhisdemhjlkrmlntsjhg mlkh mhnlj" rather than some meaningful name.

For me, this is a killer! Hence I will not be adding more resources to any Azure service that has this same idiotic approach: HOW CAN I EVER MAKE A NAME THAT IS NOT USED BY THE OTHER 7 BILLION PEOPLE ON THIS PLANET??? Who came up with THAT idea? I can understand "has to be unique within your organization", but not the whole world unless you're defining a login for FB or some other anti-social platform.

Azure Key Vault
An Azure service that is used to manage and protect cryptographic keys and other secrets used by cloud apps and services.

1 answer

  1. Marilee Turscak-MSFT 37,206 Reputation points Microsoft Employee Moderator
    2023-02-18T01:04:28.1666667+00:00

    Hi Wesley Kenis ,

    Thank you for your feedback about updating the Key Vault requirement so that the Key Vault name does not need to be globally unique.

    The reason that the Key Vault name needs to be unique is because the key vault, keys, and secrets are all accessed by the key vault URL: https://{vault-name}.vault.azure.net/

    Keys, secrets, and certificates within the vault are also accessed by the URL and object identifiers: https://{vault-name}.vault.azure.net/{object-type}/{object-name}/{object-version}

    The same requirement exists for Managed HSM pools and storage account names. The explanation for this design is documented in Azure Key Vault keys, secrets and certificates overview

    Since the endpoints differ across Azure Cloud, Azure China Cloud, Azure US Government, and Azure German Cloud, you could technically have a Key Vault with the same name as another Key Vault in a different region.

    There have been some requests to the product team to change this requirement, and I have shared your feedback with the product team as well. If you would like to leave feedback for them directly, you can also do that in the feedback forum. Someone else has also shared the same feedback here, which you can upvote and follow for updates. Feature requests are prioritized by upvotes so it will help to upvote the existing request.

    In the meantime, to speed up the process, one recommendation is to use checkNameAvailability in the Azure API to verify if a Key Vault name is valid and not already in use:

    POST https://management.azure.com/subscriptions/{subscriptionId}/providers/Microsoft.KeyVault/checkNameAvailability?api-version=2022-07-01

    While you are probably already doing this, it also helps to adopt custom naming conventions to align the key vault names with a standard familiar to your organization (kv-description).

    I'll update this thread if I hear additional updates from the product team around this feature though.

    -

    If the information helped you, please Accept the answer. This will help us as well as others in the community who might be researching similar information.

    2 people found this answer helpful.
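The answer above recommends two things together: a naming convention (kv-description) and a checkNameAvailability call before creating the vault. The following Python is an added example, not code from the thread or from Microsoft: it builds a convention-based name with a deterministic suffix (so the same org/env/workload always yields the same name, which keeps infrastructure-as-code reproducible while making collisions with other tenants unlikely), pre-checks the name locally against the published Key Vault naming rules (3-24 characters, letters, digits and hyphens, starts with a letter, ends with a letter or digit, no consecutive hyphens), and prepares and interprets the Microsoft.KeyVault checkNameAvailability request and its `nameAvailable`/`reason`/`message` response. The subscription id, the sample responses and the org/env/workload values are constructed placeholders; the only function that touches the network is `check_name_availability`, which needs a real ARM bearer token and is not exercised offline. Because the vault name becomes a public hostname, treat it as non-secret: a name that leaks a project codename or customer name leaks it to everyone who can resolve DNS.

```python
"""Added example (not from the Q&A thread): convention-based Key Vault naming,
local validation against the documented naming rules, and the ARM
checkNameAvailability request/response handling the answer recommends."""
import hashlib
import json
import re
import urllib.request

API_VERSION = "2022-07-01"  # the api-version quoted in the answer

# Documented Key Vault naming rules: 3-24 chars of letters, digits, hyphens;
# must start with a letter, end with a letter or digit, no consecutive hyphens.
# The regex enforces everything except the length bounds.
_NAME_RE = re.compile(r"^[A-Za-z](?:-?[A-Za-z0-9])*$")


def is_valid_vault_name(name: str) -> bool:
    """Return True when `name` satisfies the Key Vault naming rules."""
    return 3 <= len(name) <= 24 and _NAME_RE.match(name) is not None


def build_vault_name(org: str, env: str, workload: str, suffix_len: int = 6) -> str:
    """Build 'kv-<org>-<env>-<hash>' following the kv-description convention.

    The suffix is the first `suffix_len` hex digits of SHA-256 over the
    org/env/workload tuple: deterministic for IaC re-runs, but unlikely to
    collide with a vault name chosen by another tenant.  Do not put secrets
    or sensitive project names here: the result becomes a public hostname.
    """
    digest = hashlib.sha256(f"{org}/{env}/{workload}".encode()).hexdigest()
    name = f"kv-{org}-{env}-{digest[:suffix_len]}".lower()
    name = re.sub(r"[^a-z0-9-]", "", name)  # drop characters the service rejects
    if not is_valid_vault_name(name):
        raise ValueError(f"{name!r} violates the Key Vault naming rules")
    return name


def check_name_request(subscription_id: str, name: str) -> tuple:
    """Return (url, body) for the checkNameAvailability POST shown in the answer."""
    url = (
        f"https://management.azure.com/subscriptions/{subscription_id}"
        f"/providers/Microsoft.KeyVault/checkNameAvailability?api-version={API_VERSION}"
    )
    body = json.dumps({"name": name, "type": "Microsoft.KeyVault/vaults"}).encode()
    return url, body


def interpret_response(payload: dict) -> tuple:
    """Normalize the ARM response into (available, explanation).

    ARM returns {"nameAvailable": bool, "reason": "AlreadyExists"|"Invalid",
    "message": "..."}; reason and message are only present on failure.
    """
    if payload.get("nameAvailable"):
        return True, "available"
    reason = payload.get("reason", "Unknown")
    message = payload.get("message", "")
    return False, f"{reason}: {message}" if message else reason


def check_name_availability(subscription_id: str, name: str, bearer_token: str) -> tuple:
    """Perform the live check (requires a valid ARM bearer token; not run offline)."""
    url, body = check_name_request(subscription_id, name)
    req = urllib.request.Request(
        url,
        data=body,
        method="POST",
        headers={"Authorization": f"Bearer {bearer_token}",
                 "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req) as resp:  # raises on HTTP errors
        return interpret_response(json.load(resp))


if __name__ == "__main__":
    # Constructed inputs; no network access in this demo.
    name = build_vault_name("contoso", "prod", "payments")
    url, body = check_name_request("00000000-0000-0000-0000-000000000000", name)
    print("candidate:", name, "valid:", is_valid_vault_name(name))
    print("POST", url)
    print(body.decode())
    # Constructed sample responses in the ARM shape, to show both outcomes.
    print(interpret_response({"nameAvailable": True}))
    print(interpret_response({"nameAvailable": False, "reason": "AlreadyExists",
                              "message": "The vault name is already in use."}))
```

Run the local validation before every deployment and the live check only once the name passes it: the service rejects malformed names with `reason: Invalid` and taken ones with `reason: AlreadyExists`, so a name that fails locally never needs the round trip.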
